SRX Services Gateway

IDP Exempt Rulebases with logging enabled?

‎11-10-2011 02:19 PM

Hi

I have an IDP policy on an SRX with 2 rules.

Rule 1 matches Critical predefined attack groups.

Rule 2 matches Major predefined attack groups.

Both log an alert and block.

One predefined attack within the Critical attack group is triggering and blocking traffic. I have created an exempt rulebase for this one attack. It is now not dropping the traffic or showing up in the attack table, but I'm still unable to log alerts from this attack, because the exempt rulebase doesn't allow the "THEN" option like normal IDP rule options do.

How can I make this one attack not block and still alert?

I have removed the exempt rulebase and made another IDP rule within the IDP policy that just matches this one attack, with alert and no action. But as soon as the second rule in the IDP policy matches the Critical attack group, it matches again and blocks.

So still no joy.

Any ideas please?

CCNA CCNP JNCIA-JNCIS-JNCIP-SEC
Solution
Accepted by topic author beerglass007
‎08-26-2015 01:27 AM

Re: IDP Exempt Rulebases with logging enabled?

‎11-10-2011 05:34 PM

The IDP rulebase doesn't work like a normal firewall rulebase that terminates by default on a match. It will traverse through the policy and it can match multiple criteria. It takes the most severe action and uses that on a multi-match. The only way to get this to work in the way you are looking for is to move the rule to the top of the rulebase and make it a terminal rule, so that once it matches it stops processing in the IDP rulebase.

Edit the specific rule and "set terminal" to make it a terminal rule.

 

Hope this helps.

JNCIE-ENT #424 JNCIP-SEC, JNCI
Juniper Ambassador
@traceoptions

**If this worked for you please flag my post as an Accepted Solution so others can benefit.**
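A worked configuration for the approach in the reply above, added here as an example; it is not from the original thread or from Juniper documentation. The policy name `MY-IDP-POLICY`, the rule names, and the attack name `PLACEHOLDER-ATTACK-NAME` are placeholders that have to be replaced with the real policy and the predefined attack that is misfiring, and the group names `Critical` and `Major` are assumed to be the predefined attack groups the original rules already reference (predefined group names vary between signature package releases, so confirm them on the box before committing). The point the example shows is ordering: the alert-only rule has to be evaluated first and be terminal, otherwise the same attack also matches the Critical group rule and the more severe action wins.

```junos
## Added example, not from the thread. MY-IDP-POLICY, the rule names and
## PLACEHOLDER-ATTACK-NAME are placeholders; Critical/Major are assumed group names.

## Rule 1: the single noisy attack. Ordered first and marked terminal, so once
## it matches, IDP stops evaluating the rest of the rulebase for that session.
## no-action plus log-attacks alert gives "alert but do not block".
set security idp idp-policy MY-IDP-POLICY rulebase-ips rule ALERT-ONLY-ATTACK match from-zone any
set security idp idp-policy MY-IDP-POLICY rulebase-ips rule ALERT-ONLY-ATTACK match to-zone any
set security idp idp-policy MY-IDP-POLICY rulebase-ips rule ALERT-ONLY-ATTACK match source-address any
set security idp idp-policy MY-IDP-POLICY rulebase-ips rule ALERT-ONLY-ATTACK match destination-address any
set security idp idp-policy MY-IDP-POLICY rulebase-ips rule ALERT-ONLY-ATTACK match application default
set security idp idp-policy MY-IDP-POLICY rulebase-ips rule ALERT-ONLY-ATTACK match attacks predefined-attacks PLACEHOLDER-ATTACK-NAME
set security idp idp-policy MY-IDP-POLICY rulebase-ips rule ALERT-ONLY-ATTACK then action no-action
set security idp idp-policy MY-IDP-POLICY rulebase-ips rule ALERT-ONLY-ATTACK then notification log-attacks alert
set security idp idp-policy MY-IDP-POLICY rulebase-ips rule ALERT-ONLY-ATTACK terminal

## Rule 2: the existing Critical group rule. Without the terminal rule above,
## PLACEHOLDER-ATTACK-NAME would also match here, and because the rulebase is
## not first-match, drop-connection (the more severe action) would be applied.
set security idp idp-policy MY-IDP-POLICY rulebase-ips rule CRITICAL match from-zone any
set security idp idp-policy MY-IDP-POLICY rulebase-ips rule CRITICAL match to-zone any
set security idp idp-policy MY-IDP-POLICY rulebase-ips rule CRITICAL match source-address any
set security idp idp-policy MY-IDP-POLICY rulebase-ips rule CRITICAL match destination-address any
set security idp idp-policy MY-IDP-POLICY rulebase-ips rule CRITICAL match application default
set security idp idp-policy MY-IDP-POLICY rulebase-ips rule CRITICAL match attacks predefined-attack-groups Critical
set security idp idp-policy MY-IDP-POLICY rulebase-ips rule CRITICAL then action drop-connection
set security idp idp-policy MY-IDP-POLICY rulebase-ips rule CRITICAL then notification log-attacks alert

## Rule 3: the existing Major group rule, unchanged in behaviour.
set security idp idp-policy MY-IDP-POLICY rulebase-ips rule MAJOR match from-zone any
set security idp idp-policy MY-IDP-POLICY rulebase-ips rule MAJOR match to-zone any
set security idp idp-policy MY-IDP-POLICY rulebase-ips rule MAJOR match source-address any
set security idp idp-policy MY-IDP-POLICY rulebase-ips rule MAJOR match destination-address any
set security idp idp-policy MY-IDP-POLICY rulebase-ips rule MAJOR match application default
set security idp idp-policy MY-IDP-POLICY rulebase-ips rule MAJOR match attacks predefined-attack-groups Major
set security idp idp-policy MY-IDP-POLICY rulebase-ips rule MAJOR then action drop-connection
set security idp idp-policy MY-IDP-POLICY rulebase-ips rule MAJOR then notification log-attacks alert

## If the alert-only rule was added after the group rules (as in the original
## post), it sits at the bottom and terminal does nothing useful. Junos rules
## are an ordered list, so move it to the top before committing:
insert security idp idp-policy MY-IDP-POLICY rulebase-ips rule ALERT-ONLY-ATTACK before rule CRITICAL
```

Two checks worth doing after the commit: confirm with `show security idp policy-commit-status` that the policy compiled, and then verify in the IDP attack log that the attack still appears with the no-action rule as the match while the session is no longer dropped. Keep the terminal rule as narrow as possible (a single attack, and ideally specific source and destination addresses rather than `any`), because anything that matches a terminal rule is never evaluated against the Critical and Major rules that follow it.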

Re: IDP Exempt Rulebases with logging enabled?

‎11-11-2011 01:38 PM

Excellent

That works great

Thanks

CCNA CCNP JNCIA-JNCIS-JNCIP-SEC

Re: IDP Exempt Rulebases with logging enabled?

‎01-30-2019 06:32 AM

Hello team,

I have an issue related to this.

I am trying to make an IDP rule to inspect a few customized patterns which have to be permitted, and then drop anything else.

I have created a first rulebase which matches correctly and has "no action", and then a second rulebase which denies everything.

The problem is that traffic is being dropped because of the most severe action.

I have seen this post and thought I could make a terminal rulebase, but I guess that way won't deny any traffic.

This is an example:

set security idp idp-policy IPS_SIP rulebase-ips rule "Whitelist: Permitted ranges" description "Whitelist: Permitted ranges"
set security idp idp-policy IPS_SIP rulebase-ips rule "Whitelist: Permitted ranges" match application default
set security idp idp-policy IPS_SIP rulebase-ips rule "Whitelist: Permitted ranges" match attacks custom-attacks VOIP:SIP:HEADER-1000
set security idp idp-policy IPS_SIP rulebase-ips rule "Whitelist: Permitted ranges" match attacks custom-attacks VOIP:SIP:HEADER-2000
set security idp idp-policy IPS_SIP rulebase-ips rule "Whitelist: Permitted ranges" then action recommended
set security idp idp-policy IPS_SIP rulebase-ips rule "Whitelist: Permitted ranges" then notification log-attacks
set security idp idp-policy IPS_SIP rulebase-ips rule "Whitelist: Permitted ranges" terminal
set security idp idp-policy IPS_SIP rulebase-ips rule "Blacklist: Denied ranges" description "Blacklist: Denied ranges"
set security idp idp-policy IPS_SIP rulebase-ips rule "Blacklist: Denied ranges" match application default
set security idp idp-policy IPS_SIP rulebase-ips rule "Blacklist: Denied ranges" match attacks custom-attacks VOIP:SIP:RANGE-ANY
set security idp idp-policy IPS_SIP rulebase-ips rule "Blacklist: Denied ranges" then action drop-packet
set security idp idp-policy IPS_SIP rulebase-ips rule "Blacklist: Denied ranges" then notification log-attacks
set security idp idp-policy IPS_SIP rulebase-ips rule "Blacklist: Denied ranges" then severity info

I need some help.


Re: IDP Exempt Rulebases with logging enabled?

‎01-30-2019 06:37 AM

Hi,

I would advise creating a new post for your specific issue, because this post is already in Resolved status.

Pura Vida from Costa Rica - Mark as Resolved if it applies.
Kudos are appreciated too!